The Department of Justice confirms the FBI operation that mass-removed Chinese malware from thousands of computers in the U.S.
The FBI was authorized to remove the "PlugX" malware en masse from over 4,000 compromised devices in the United States.
U.S. authorities have successfully disrupted the activities of a state-backed hacking group from China that had infiltrated millions of computers worldwide to steal information as part of a years-long espionage campaign. The Department of Justice and the FBI announced that during a court-authorized operation in August 2024, they successfully removed malware implanted by the hacking group known as "Twill Typhoon" or "Mustang Panda" from thousands of infected systems in the United States.
The operation was led by French authorities, with support from the Paris-based cybersecurity firm Sekoia. French prosecutors reported last year that the malware, called "PlugX," had infected several million computers globally, including 3,000 devices in France. Sekoia, in a blog post, stated that it developed the capability to send commands to infected devices to remove the PlugX malware.
U.S. officials indicated that the operation was carried out to eliminate the malware from over 4,200 infected computers in the country. In court records filed in a federal court in Pennsylvania, the FBI noted that it had been observing the malware, which is typically installed via a computer's USB port, since at least 2012, and that state-backed hackers have used it since 2014. Once installed, the malware's job is to "collect and prepare the victim's computer files for exfiltration," the FBI said. French authorities confirmed that PlugX is used primarily for espionage.
In its statement, the U.S. Department of Justice accused the Chinese government of funding the Twill Typhoon group's development of the PlugX malware. While no specific victims of the hacking campaign were named, the FBI stated that Twill Typhoon had infiltrated the systems of "numerous" governmental and private organizations, including entities in the United States. Notable targets include shipping companies in Europe, various European governments, Chinese dissident groups, and several administrations in the Indo-Pacific region.
Twill Typhoon joins a growing list of state-backed hacking groups from China tracked under names that include "Typhoon." That list includes Volt Typhoon, a group tasked with preparing destructive cyberattacks, and Salt Typhoon, which has carried out a series of large-scale hacks of U.S. telecommunications and internet companies. According to Microsoft, which developed the naming system for these groups, Twill Typhoon (formerly known as "Tantalum") has succeeded in compromising government machines in Africa and Europe, as well as humanitarian organizations worldwide.
This operation adds to an extensive series of court-authorized actions carried out by U.S. authorities in recent years to counter the growing threat of foreign adversaries attacking U.S. devices. Throughout 2024, the FBI conducted several operations to remove malware and take control of malicious botnets, aiming to disrupt China-backed campaigns targeting critical U.S. infrastructure. U.S. national security officials have previously described the Chinese government's offensive cyber capabilities as a "defining threat of our era."